May 2006 Security Updates
May 15, 2006

Three patches, two critical and one moderate, were released on the May 2006 "Patch Tuesday." The first critical patch fixes a problem that could allow an attacker to take full control of an Exchange server through the way Exchange processes calendar data. However, applying the security fix also changes Exchange functionality in a way that could stop some applications from working. The other critical patch fixes problems in the Adobe Flash Player, and because Microsoft distributed the Flash Player, it will also distribute Adobe's patch.

Two Critical Patches

The critical patch for Exchange Server fixes a remote code execution vulnerability that could allow an attacker to take complete control of an affected Exchange Server. The vulnerability exists in the Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects (EXCDO), which provide programmatic interfaces for Exchange Server to process certain messages on behalf of other applications and services. To exploit the vulnerability, an attacker would have to send a message with specially crafted Virtual Calendar (vCAL) or Internet Calendar (iCAL) properties to an unpatched Exchange Server. vCAL and iCAL are MIME content types used by Exchange and e-mail clients when sending information related to calendars and scheduling.

However, the May security update for Exchange also changes another Exchange feature, Send As, and could cause some applications to break. The Send As feature allows a secondary user to send e-mail that appears to come from a different user's mailbox if the mailbox owner has granted the secondary user access to that mailbox. Some applications take advantage of this function to permit individuals to send mail from another account. For example, a customer service representative named John Doe, with the e-mail account johndoe@company.com, can send mail to customers that appears to be coming from CustomerService@company.com. At the request of customers who wanted more granular control over mailbox accounts and permissions, Microsoft earlier released a change that prevented an account with access to another account's mailbox from sending messages that appeared to have been sent by the mailbox owner. Some organizations had not yet deployed that Send As change because of its impact on their business processes and applications. If those organizations apply the May security update for the calendar vulnerability, they will also change the Send As function and will then have to assign specific Send As permissions for a user or application to send "on behalf of" a second user or account.

The second critical patch addresses two vulnerabilities in the way that the Macromedia Flash Player handles Flash Animation (SWF) files. The vulnerabilities could allow an attacker to take full control of an affected computer.

Previously, Microsoft and Adobe (which acquired Macromedia, the longtime developer of Flash, in Dec. 2005) had recommended that users upgrade to a newer version of the Flash Player that did not contain the vulnerability. But because Microsoft distributed the Flash Player with some versions of Windows, and because some users may not have upgraded to the newer, non-affected Flash Player, Microsoft is distributing an Adobe patch to fix the bug in the versions of the Player initially shipped with Windows.

Microsoft has issued a Knowledge Base article to help customers with installation problems that show up in cases where multiple versions of Flash Players have been installed and uninstalled.

Moderate Patch

Microsoft also issued a patch for a moderate vulnerability in the Microsoft Distributed Transaction Coordinator (MSDTC), a Windows service that helps developers implement a two-phase commit protocol for their applications. An attacker could send a specially crafted network message to an affected system that would stop the transaction coordinator from responding. This denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the MSDTC to stop accepting requests.

Microsoft also released two important nonsecurity updates in May—the monthly update to the junk e-mail filter in Office Outlook 2003, and an update for Office OneNote 2003 to fix a problem where a pen stroke is visible only as long as the pen is touching the screen.

The Malicious Software Removal Tool was updated to detect and remove three more pieces of malware: Win32/Evaman, Win32/Ganda, and Win32/Plexus.

Microsoft also reissued the MS06-015 update, originally released on April's Patch Tuesday, because some customers with Hewlett-Packard Share-to-Web software or NVIDIA drivers were experiencing a problem with the patch. Customers who have already applied the MS06-015 update and are not experiencing the problem need take no action.

Microsoft also reminded customers that the end of public security support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition is July 11, 2006. The end of public security support for Windows XP Service Pack 1 is Oct. 10, 2006. After these dates there will be no new security bulletins and patches for vulnerabilities found in these products. In addition, customers currently using Software Update Services (SUS) version 1.0 need to upgrade to Windows Server Update Services (WSUS), Microsoft's free software for an organization to distribute patches, by Dec. 6, 2006, when support for SUS ends.

Resources

Information about updates released in May 2006 can be found at www.microsoft.com/technet/security/current.aspx.

The latest version of the Malicious Software Removal Tool can be executed from www.microsoft.com/security/malwareremove/default.mspx.

A Knowledge Base article with details of the change to Send As functionality is located at support.microsoft.com/kb/895949.

Information on third-party applications potentially affected by the change to Send As functionality is available in the Knowledge Base article at support.microsoft.com/kb/912918.

A Knowledge Base article detailing workarounds for installation problems with the MS06-020 patch for the Flash Player can be found at support.microsoft.com/default.aspx/kb/913433.